
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

Mar 21, 2023 | Ravie Lakshmanan | Linux / Server Security


Poorly managed Linux SSH servers are being targeted as part of a
new campaign that deploys different variants of a malware called
ShellBot.

“ShellBot, also known as PerlBot[1], is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server,” AhnLab Security Emergency Response Center (ASEC) said[2] in a report.

ShellBot is installed on servers that have weak credentials, but
only after threat actors make use of scanner malware to identify
systems that have SSH port 22 open.

A list of known SSH credentials is used to initiate a dictionary
attack to breach the server and deploy the payload, after which it
leverages the Internet Relay Chat (IRC[3]) protocol to communicate
with a remote server.
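The access path described above (a password dictionary attack against an exposed SSH service, followed by a successful login from the same source) leaves a recognisable trace in the SSH daemon's authentication log. The following is an added example of the detection a defender would run over those logs; it is not code from the article or from ASEC. It assumes OpenSSH message formats and rsyslog RFC 3339 timestamps, and the log lines it processes are constructed for illustration, not taken from any real incident. The threshold and window are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article or the ASEC report).
# Assumed format: RFC 3339 timestamp, hostname, OpenSSH sshd messages.
# 203.0.113.7 hammers root/admin/test and then gets in; 198.51.100.4 is a
# legitimate user who mistypes once and then logs in with a key.
SAMPLE_LOG = """\
2023-03-21T10:15:01.000000+00:00 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
2023-03-21T10:15:02.000000+00:00 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
2023-03-21T10:15:03.000000+00:00 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51003 ssh2
2023-03-21T10:15:04.000000+00:00 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
2023-03-21T10:15:05.000000+00:00 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51005 ssh2
2023-03-21T10:15:06.000000+00:00 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51006 ssh2
2023-03-21T10:20:00.000000+00:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2023-03-21T10:20:09.000000+00:00 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2: ED25519 SHA256:abc
"""

# "invalid user" appears when the account does not exist; the optional group
# swallows it so the username is captured either way.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def parse_events(log_text):
    """Turn raw sshd log lines into authentication events; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_dictionary_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` password failures inside `window`. A finding also records
    whether a *password* login from that source succeeded afterwards, which
    is the signature of a weak-credential compromise rather than mere noise."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        burst_start = None
        # Sliding window over the ordered failures: does any failure have
        # `threshold` or more failures (itself included) within `window`?
        for i, f in enumerate(failures):
            in_window = [g for g in failures[i:] if g["ts"] - f["ts"] <= window]
            if len(in_window) >= threshold:
                burst_start = f["ts"]
                break
        if burst_start is None:
            continue
        successes = [
            e for e in evs
            if e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= burst_start
        ]
        findings[ip] = {
            "failures": len(failures),
            "usernames": sorted({e["user"] for e in failures}),
            "compromised": bool(successes),
            "success_user": successes[0]["user"] if successes else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_dictionary_attacks(parse_events(SAMPLE_LOG)).items():
        verdict = "COMPROMISED" if finding["compromised"] else "brute force only"
        print(f"{ip}: {finding['failures']} failures, users {finding['usernames']}, {verdict}")
```

A hit with `compromised` set is the point at which to pull the host's process list, outbound connections (ShellBot's IRC C2 traffic) and recently written files rather than simply blocking the source IP.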

Over that channel the bot receives commands that allow ShellBot to carry out DDoS attacks and exfiltrate harvested information.

ASEC said it identified three different ShellBot versions –
LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK
– the first two of which offer a variety of DDoS attack commands
using HTTP, TCP, and UDP protocols.

PowerBots, on the other hand, comes with more backdoor-like
capabilities to grant reverse shell access and upload arbitrary
files from the compromised host.

The findings come nearly three months after ShellBot was
employed in attacks[4]
aimed at Linux servers that also distributed cryptocurrency miners
via a shell script compiler.


“If ShellBot is installed, Linux servers can be used as DDoS
Bots for DDoS attacks against specific targets after receiving a
command from the threat actor,” ASEC said. “Moreover, the threat
actor could use various other backdoor features to install
additional malware or launch different types of attacks from the
compromised server.”

The development also comes as Microsoft revealed[6]
a gradual increase in the number of DDoS attacks targeting
healthcare organizations hosted in Azure, surging from 10-20
attacks in November 2022 to 40-60 attacks daily in February
2023.


References

  1. PerlBot (malpedia.caad.fkie.fraunhofer.de)
  2. said (asec.ahnlab.com)
  3. IRC (en.wikipedia.org)
  4. employed in attacks (thehackernews.com)
  6. revealed (www.microsoft.com)
